From f6b77d7b42633f689be877e469173fa42a6877a8 Mon Sep 17 00:00:00 2001
From: Eno Compton <enocom@google.com>
Date: Tue, 13 Sep 2022 15:56:40 -0600
Subject: [PATCH] fix: set write permissions for group and other (#1405)

Fixes #1403.
---
 internal/proxy/proxy.go              |  6 ++++++
 internal/proxy/proxy_other_test.go   | 15 +++++++++++++++
 internal/proxy/proxy_test.go         |  2 ++
 internal/proxy/proxy_windows_test.go | 11 ++++++++++-
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index 834a0077d..a1b592136 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -626,6 +626,12 @@ func newSocketMount(ctx context.Context, conf *Config, pc *portConfig, inst Inst
 	if err != nil {
 		return nil, err
 	}
+	// Change file permisions to allow access for user, group, and other.
+	if network == "unix" {
+		// Best effort. If this call fails, group and other won't have write
+		// access.
+		_ = os.Chmod(address, 0777)
+	}
 	opts := conf.DialOptions(inst)
 	m := &socketMount{inst: inst.Name, dialOpts: opts, listener: ln}
 	return m, nil
diff --git a/internal/proxy/proxy_other_test.go b/internal/proxy/proxy_other_test.go
index 3435a68c1..12cc9db0f 100644
--- a/internal/proxy/proxy_other_test.go
+++ b/internal/proxy/proxy_other_test.go
@@ -17,6 +17,11 @@
 
 package proxy_test
 
+import (
+	"os"
+	"testing"
+)
+
 var (
 	pg         = "proj:region:pg"
 	pg2        = "proj:region:pg2"
@@ -25,3 +30,13 @@ var (
 	sqlserver  = "proj:region:sqlserver"
 	sqlserver2 = "proj:region:sqlserver2"
 )
+
+func verifySocketPermissions(t *testing.T, addr string) {
+	fi, err := os.Stat(addr)
+	if err != nil {
+		t.Fatalf("os.Stat(%v): %v", addr, err)
+	}
+	if fm := fi.Mode(); fm != 0777|os.ModeSocket {
+		t.Fatalf("file mode: want = %v, got = %v", 0777|os.ModeSocket, fm)
+	}
+}
diff --git a/internal/proxy/proxy_test.go b/internal/proxy/proxy_test.go
index f7fe6b78b..6be3150f9 100644
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@@ -283,6 +283,8 @@ func TestClientInitialization(t *testing.T) {
 			}
 
 			for _, addr := range tc.wantUnixAddrs {
+				verifySocketPermissions(t, addr)
+
 				conn, err := net.Dial("unix", addr)
 				if err != nil {
 					t.Fatalf("want error = nil, got = %v", err)
diff --git a/internal/proxy/proxy_windows_test.go b/internal/proxy/proxy_windows_test.go
index 44e850091..c266d3e52 100644
--- a/internal/proxy/proxy_windows_test.go
+++ b/internal/proxy/proxy_windows_test.go
@@ -14,7 +14,10 @@
 
 package proxy_test
 
-import "strings"
+import (
+	"strings"
+	"testing"
+)
 
 var (
 	pg         = strings.ReplaceAll("proj:region:pg", ":", ".")
@@ -24,3 +27,9 @@ var (
 	sqlserver  = strings.ReplaceAll("proj:region:sqlserver", ":", ".")
 	sqlserver2 = strings.ReplaceAll("proj:region:sqlserver2", ":", ".")
 )
+
+func verifySocketPermissions(t *testing.T, addr string) {
+	// On Linux and Darwin, we check that the socket named by addr exists with
+	// os.Stat. That operation is not supported on Windows.
+	// See https://github.com/microsoft/Windows-Containers/issues/97#issuecomment-887713195
+}